Legal

GDPR: Are you ready?

23 April 2018

In just four weeks, Europe will witness the biggest shake up of data protection laws in 25 years. Charities must be prepared for the 25 May deadline...

The General Data Protection Regulation (GDPR) puts a strong emphasis on the privacy and security of individuals and the ICO will come down hard on organisations that fall foul of its stipulations. Many charities are still reporting that they are yet to prepare for the incoming regulation, so here is a recap of what you need to know:

Consent

Under the GDPR, consent cannot be smuggled into obscure terms and conditions, and data subjects can withdraw consent at any time. This puts a higher burden on both staff and the written communications they disseminate to clearly communicate the aims and objectives of your data processing activities. This will have a knock-on effect on your marketing and outreach processes.

Privacy by design

The GDPR principle of Privacy by Design means that data protection must be built into all systems from ground level, and not added as an afterthought. That means that it will be a regular occurrence for charities to engage in data audits to make sure their protocols are up to scratch.

Time and care will need to be taken when, for example, writing marketing copy. Make sure you have fully explained the purpose of data collection to data subjects (that's anyone whose data you store); that means greater oversight when designing data capture protocols.

Your marketing team will need to be more thoughtful and vigilant in the way they go about their work. Being upfront and open is actually a very effective way to engage in marketing, but let's face it, have you ever seen a marketer say no to an email address or three? Your marketing team need to understand this key point, but so too will other departments who put pressure on marketing to grow the organisation. Under the GDPR, the cost of spammy marketing techniques will just be too high.

Data Protection Officers (DPOs)

Charities may need to appoint a Data Protection Officer (DPO) to oversee GDPR compliance. Any DPO you appoint will need to be given the resources and freedom they need to ensure GDPR compliance and report back to the highest levels of your organisation. The DPO role can be assigned to an existing employee, as long as they will have the flexibility to carry out their duties.

Although the GDPR is slightly vague on precisely which organisations require a DPO – it requires public bodies and organisations that process personal data on a ‘large scale’ to have one – it would be a sensible move to appoint one anyway; that way there's ultimate accountability.

Access, portability and the right to be forgotten

Data subjects have a right to request confirmation as to whether you are processing their personal data, and data portability stipulations require that subjects be provided with all personal data you hold on them in a transferable digital format. Subjects also have the right for their data to be deleted once it is no longer being used for the purposes for which it was acquired.

These points throw up technical and logistical challenges, especially for small charities who don't have lots of resources. Your IT team will need to be fully aware of data processing requirements and be fully resourced to implement GDPR compliant systems. If they don't have the resources, these need to be allocated, and room needs to be made in your charity's budget. In some cases, charities who carry out data processing in-house may want to outsource elements of this work or hire cloud-based data processing systems that allow for GDPR compliance.

Breach notification

Data controllers and customers must be informed of any data breaches within 72 hours of the breach. While a breach is open, you are liable to receive an enforcement notice from the ICO. This could be far-reaching, like the notice served to the Alzheimer's Society back in 2016. The charity was pulled up for a series of breaches committed by untrained volunteers who were;

The Society had been informed of these breaches in 2014, but the ICO determined that not enough had been done to rectify them. The Society were ordered to provide full data protection training and implement security protocols including ensuring their website wasn't vulnerable. They failed to implement this last stipulation and the following year the Society's website was hacked, putting hundreds of thousands of contact details at risk.

Charity professionals should learn from this experience. Charities need to be responsive to data breaches when they are flagged up, and make sure they respond in a comprehensive way to any shortcomings rather than risk eye-watering fines under the GDPR.

Legal

Legal teams will need to make sure they understand the 90-page GDPR regulations inside out. Attention will need to be paid to how the legal team can play an active role in ensuring compliance, and they will need to liaise with all relevant departments, including IT, marketing, HR, and volunteer management.

They will need to not only ensure that there is a legal basis for existing data processing, but that future charity activities are OK'd in terms of meeting GDPR rulings. And they will need to be prepared to fight your charity's corner if you decide to appeal a fine, if you think you have a defence under the GDPR.

GDPR training

We've touched on some of the key departments and personnel who will be affected by the GDPR. This should highlight the need for GDPR training to be widespread throughout your organisation. This is especially relevant for charities where each staff member is likely to come into contact with data subjects, and may be involved in regular fundraising and outreach activities themselves. You have an obligation to be informed and vigilant about data protection at all levels of your operations.

There are already a host of companies offering GDPR training for your organisation. There's likely to be a lot of misinformation out there, not only because this is a potentially lucrative area for unscrupulous consultants, but also because the GDPR is a very comprehensive, rather unrelenting set of 99 articles that are wide-ranging and have international reach.

The point is that, like it or not, the four letters - G.D.P.R. - are soon to be on the lips of charity professionals across the UK. You have a choice to either be dragged kicking and screaming into a new era of person-centric data protection, or take the lead on integrating this new, enlightened framework into the DNA of your organisation.